We are crashing because an argument variable is been speculated to be an Int32, but there isn't a corresponding speculation check on entry to the function. When it is call with a non-int value and we OSR exit for some other reason we crash in the baseline JIT because the tag is bogus.
Created attachment 203903 [details]
This fixes the problem by merging the various attributes of a VariableAccessData with the root node of the unified set of VariableAccessData nodes. Before we were merging with a leaf node and therefore the merge didn't propgate to the code generation phase.
This is performance neutral on SunSpider and V8.
Committed r151273: <http://trac.webkit.org/changeset/151273>
*** Bug 116052 has been marked as a duplicate of this bug. ***